Description
The CSS values spec basically says there's no security concerns:
This specification mostly just defines units that are common to CSS specifications, and which present no security concerns.
In the Blink Intent to Implement and Ship: Advanced attr() thread, multiple concerns have been raised that attr() can be used as a tool for data exfiltration of sensitive data like passwords, nonce, etc.
And it's a much easier-to-use weapon compared to attribute selectors, which have to exfiltrate an attribute value character-by-character in an iterative/recursive manner.
Other than "try harder to block CSS injection", do we have other ideas to address the security concerns? For example, blacklisting certain attributes (e.g., nonce, value, etc.), or even whitelisting attributes allowed in attr() (as suggested by @mikewest here)?
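As an added illustration of the allowlist/blocklist idea above (example code, not from this issue, the spec, or any browser implementation): a small defender-side check that lists every attr() reference in stylesheet text and flags the ones a policy rejects. The attribute allowlist, the sensitive-attribute blocklist and the sample CSS are constructed for the example; the `extractAttrReferences` and `findDisallowedAttrRefs` names are hypothetical.

```javascript
// Attributes whose values a stylesheet should never be allowed to read
// (constructed policy for this example).
const SENSITIVE_ATTRS = new Set(['nonce', 'value']);

// Attributes a site explicitly permits attr() to read (constructed allowlist).
const ALLOWED_ATTRS = new Set(['data-label', 'title', 'data-count']);

// Extract every attr() reference from CSS text. Advanced attr() takes the form
// attr(<attr-name> <attr-type>? , <fallback>?), and <attr-name> may carry a
// namespace prefix (ns|name or *|name); only the local name is kept.
function extractAttrReferences(cssText) {
  const refs = [];
  // Strip comments first so attr() inside /* ... */ is not counted.
  const stripped = cssText.replace(/\/\*[\s\S]*?\*\//g, '');
  // Capture the first token after "attr(": the attribute name.
  const re = /\battr\(\s*([^\s,)]+)/gi;
  let m;
  while ((m = re.exec(stripped)) !== null) {
    const raw = m[1];
    const local = raw.includes('|') ? raw.slice(raw.lastIndexOf('|') + 1) : raw;
    refs.push(local.toLowerCase());
  }
  return refs;
}

// Return the attr() references the policy rejects: every name on the blocklist,
// plus, when an allowlist is supplied, every name that is not on it.
function findDisallowedAttrRefs(cssText, { allow = ALLOWED_ATTRS, deny = SENSITIVE_ATTRS } = {}) {
  const out = [];
  for (const name of extractAttrReferences(cssText)) {
    if (deny.has(name) || (allow && !allow.has(name))) out.push(name);
  }
  return out;
}

// Constructed sample stylesheet: two permitted reads, one namespaced read of
// "value", and a commented-out reference that must be ignored.
const SAMPLE_CSS = `
/* attr(value) in a comment must not count */
.badge::after { content: attr(data-label); }
.row { width: attr(data-count type(<length>), 0px); }
.field { --x: attr(html|value string); }
`;

// For SAMPLE_CSS this reports ['value'].
console.log(findDisallowedAttrRefs(SAMPLE_CSS));
```

The check is a pre-deployment linter over CSS text, not a substitute for the browser-level restriction the issue asks about; a string literal containing "attr(" would also be reported, which errs on the side of flagging.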